authorsalo <salo@pkgsrc.org>2005-12-08 22:44:48 +0000
committersalo <salo@pkgsrc.org>2005-12-08 22:44:48 +0000
commit5ecd5e48d124b9564fd288740f9fa1f6c16a600d (patch)
tree437f0f9cadfe4347e452ff1c91e44321090e4430
parentde04c4fa2876e635e9319a1292eed0394e407a0a (diff)
downloadpkgsrc-5ecd5e48d124b9564fd288740f9fa1f6c16a600d.tar.gz
Pullup ticket 947 - requested by Manuel Bouyer
security fix for mailman

Revisions pulled up:
- pkgsrc/mail/mailman/Makefile 1.27
- pkgsrc/mail/mailman/distinfo 1.9
- pkgsrc/mail/mailman/patches/patch-ac 1.5

Module Name: pkgsrc
Committed By: bouyer
Date: Thu Dec 8 21:09:04 UTC 2005

Modified Files:
pkgsrc/mail/mailman: Makefile distinfo
Added Files:
pkgsrc/mail/mailman/patches: patch-ac

Log Message:
Apply patch (from debian via Kimmo Suominen) to address http://secunia.com/advisories/17511/ (denial of service).
-rw-r--r--mail/mailman/Makefile4
-rw-r--r--mail/mailman/distinfo3
-rw-r--r--mail/mailman/patches/patch-ac56
3 files changed, 60 insertions, 3 deletions
diff --git a/mail/mailman/Makefile b/mail/mailman/Makefile
index 9b5477e1592..aac5c06cd25 100644
--- a/mail/mailman/Makefile
+++ b/mail/mailman/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.23 2005/08/23 11:48:48 rillig Exp $
+# $NetBSD: Makefile,v 1.23.2.1 2005/12/08 22:44:48 salo Exp $
DISTNAME= mailman-2.1.6
-PKGREVISION= # empty
+PKGREVISION= 1
CATEGORIES= mail www
MASTER_SITES= http://www.list.org/ \
${MASTER_SITE_GNU:=mailman/}
diff --git a/mail/mailman/distinfo b/mail/mailman/distinfo
index 0bf55c25ea0..b1f267fa8d9 100644
--- a/mail/mailman/distinfo
+++ b/mail/mailman/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.8 2005/06/01 23:25:07 bouyer Exp $
+$NetBSD: distinfo,v 1.8.4.1 2005/12/08 22:44:48 salo Exp $
SHA1 (mailman-2.1.6.tgz) = cfabc1629feba109f85e51b85c1f64e4491e7ac4
RMD160 (mailman-2.1.6.tgz) = 37107687d49d2a67e788fd51e11df5cb4b4e7929
Size (mailman-2.1.6.tgz) = 6482726 bytes
SHA1 (patch-aa) = f0bc550b28794008ea840a88a5b0053578f3ae0f
SHA1 (patch-ab) = 39f6294e53110bd1fd09b1e90ab46820f4d48e3f
+SHA1 (patch-ac) = e539f39a747beae22b07694196092c786318698d
SHA1 (patch-ad) = 665884b9dd1789e4abd430c762bdbfd707d48d30
SHA1 (patch-ae) = 6c17de398014217be8f1c7a3b3a6f8d379fc0fb2
SHA1 (patch-af) = 985a619a055151d998cefd0c1b7280a0d55f889e
diff --git a/mail/mailman/patches/patch-ac b/mail/mailman/patches/patch-ac
new file mode 100644
index 00000000000..9adb099b106
--- /dev/null
+++ b/mail/mailman/patches/patch-ac
@@ -0,0 +1,56 @@
+$NetBSD: patch-ac,v 1.4.4.1 2005/12/08 22:44:48 salo Exp $
+
+Fix for http://secunia.com/advisories/17511/ adapted from
+http://ftp.debian.org/debian/pool/main/m/mailman/mailman_2.1.5-10.diff.gz
+
+--- Mailman/Handlers/Scrubber.py.orig 2005-05-22 22:55:08.000000000 +0300
++++ Mailman/Handlers/Scrubber.py 2005-12-05 12:58:43.000000000 +0200
+@@ -195,7 +195,10 @@ def process(mlist, msg, msgdata=None):
+ url = save_attachment(mlist, part, dir)
+ finally:
+ os.umask(omask)
+- filename = part.get_filename(_('not available'))
++ try:
++ filename = part.get_filename(_('not available'))
++ except UnicodeDecodeError:
++ filename = _('not available')
+ filename = Utils.oneline(filename, lcset)
+ del part['content-type']
+ del part['content-transfer-encoding']
+@@ -300,7 +303,10 @@ Url: %(url)s
+ finally:
+ os.umask(omask)
+ desc = part.get('content-description', _('not available'))
+- filename = part.get_filename(_('not available'))
++ try:
++ filename = part.get_filename(_('not available'))
++ except UnicodeDecodeError:
++ filename = _('not available')
+ filename = Utils.oneline(filename, lcset)
+ del part['content-type']
+ del part['content-transfer-encoding']
+@@ -408,7 +414,11 @@ def save_attachment(mlist, msg, dir, fil
+ ctype = msg.get_content_type()
+ # i18n file name is encoded
+ lcset = Utils.GetCharSet(mlist.preferred_language)
+- filename = Utils.oneline(msg.get_filename(''), lcset)
++ try:
++ filename = msg.get_filename('')
++ except UnicodeDecodeError:
++ filename = ''
++ filename = Utils.oneline(filename, lcset)
+ fnext = os.path.splitext(filename)[1]
+ # For safety, we should confirm this is valid ext for content-type
+ # but we can use fnext if we introduce fnext filtering
+@@ -434,7 +444,10 @@ def save_attachment(mlist, msg, dir, fil
+ try:
+ # Now base the filename on what's in the attachment, uniquifying it if
+ # necessary.
+- filename = msg.get_filename()
++ try:
++ filename = msg.get_filename()
++ except UnicodeDecodeError:
++ filename = None
+ if not filename or mm_cfg.SCRUBBER_DONT_USE_ATTACHMENT_FILENAME:
+ filebase = 'attachment'
+ else:
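Review bot: Each of the four added handlers in the embedded Scrubber.py patch catches only `UnicodeDecodeError`, so any other exception raised while the attachment filename is decoded would still propagate and stop processing of that message. The implementation of `get_filename()` is not visible here, but if it can also fail on an unrecognised charset label, widening each clause to `except (UnicodeError, LookupError):` would cover that case and still include `UnicodeDecodeError`. The same four-line try/except is repeated at every call site touched by the patch; a small module-level helper taking the part and a default value would keep the fallbacks (`_('not available')`, `''`, `None`) explicit and give one place to log that a malformed filename header was dropped, which is currently silent. The enclosing `process()` and `save_attachment()` bodies start and end outside the hunks shown.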